
Drupalgeddon 2.0 Still Haunting 115K+ Sites

More than 115,000 sites are still vulnerable to a highly critical Drupal bug – even though a patch was released three months ago.


When it was first revealed, the bug, which has been dubbed Drupalgeddon 2.0, impacted an estimated 1+ million sites running Drupal – including major U.S. educational institutions and government organizations around the world. According to researcher Troy Mursch, up to 115,070 sites are still vulnerable, including websites of a large television network, a mass media and entertainment conglomerate and two “well-known computer hardware manufacturers.”

A patch for the critical remote-code execution bug (CVE-2018-7600) has been available since March. Drupalgeddon 2.0 “potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” according to MITRE’s Common Vulnerabilities and Exposures bulletin.

Mursch said he located almost 500,000 sites running Drupal 7 (the most widely used version) using the source-code search engine PublicWWW. Any site running at least version 7.58 was not counted as vulnerable: according to Drupal’s advisory, the bug affects Drupal 7 before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6 and 8.5.x before 8.5.1 (the 8.3.x and 8.4.x branches were already end-of-life but received patches because of the severity), as well as the end-of-life Drupal 6. Note that a version string only tells you whether the fix is present; it says nothing about whether a site was compromised during the window before it was patched.

I've shared the list of 115,070 vulnerable Drupal sites with @USCERT_gov and @drupalsecurity. Due to the highly critical risk of CVE-2018-7600 being exploited, the list won't be shared publicly.

Of those sites, more than 115,000 were vulnerable, said Mursch, though the true number may be higher: he could not determine the version running on 225,056 of the sites. Another 134,447 sites were not vulnerable.
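The bucketing described above (vulnerable / not vulnerable / version unknown) comes down to comparing a site’s Drupal core version against the per-branch fix levels. The following Python is an added example written for this article, not Mursch’s tooling: it encodes those fix levels, classifies version strings, and shows why a fingerprint that relies only on Drupal’s `Generator` meta tag (which carries just the major version, e.g. “Drupal 7”) ends up in the “unknown” bucket. The site inventory at the bottom is constructed sample data, not scan output.

```python
"""
Classify Drupal core versions against the CVE-2018-7600 fix levels cited
in the article (7.58, 8.3.9, 8.4.6, 8.5.1; Drupal 6 is end-of-life and
affected).  Added example for this page, not the researcher's tooling.
The inventory at the bottom is constructed sample data, not scan output.
"""
import re
from collections import Counter

# First release of each branch that carries the fix.
FIXED = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

GENERATOR_RE = re.compile(
    r'<meta\s+name="Generator"\s+content="Drupal\s+([\d.]+)', re.IGNORECASE)


def generator_version(html):
    """Pull the version out of Drupal's Generator meta tag, or None.

    Drupal only stamps the major version here ("Drupal 7", "Drupal 8"),
    so this alone cannot tell a patched 7.58 from a vulnerable 7.57.
    """
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def parse_version(text):
    """'8.5.0' -> (8, 5, 0); empty or non-numeric input -> None."""
    if not text:
        return None
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def classify(version_text):
    """Return 'vulnerable', 'not_vulnerable' or 'unknown' for CVE-2018-7600."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    major = v[0]
    if major < 7:
        return "vulnerable"          # Drupal 6 and older: end-of-life, affected
    if major == 7:
        if len(v) < 2:
            return "unknown"         # bare "7": patch level not visible
        return "not_vulnerable" if v >= FIXED[(7,)] else "vulnerable"
    if major == 8:
        if len(v) < 3:
            return "unknown"         # need 8.x.y to compare against a fix level
        branch = (8, v[1])
        if branch in FIXED:
            return "not_vulnerable" if v >= FIXED[branch] else "vulnerable"
        # 8.0-8.2 are end-of-life and affected; 8.6+ shipped after the fix.
        return "vulnerable" if v[1] < 3 else "not_vulnerable"
    return "not_vulnerable"          # anything newer than 8.x


def tally(inventory):
    """inventory: iterable of (site, version_or_None). Returns bucket counts."""
    return Counter(classify(ver) for _, ver in inventory)


# Constructed sample inventory mixing exact versions, a generator-only hit
# and a site whose version could not be determined at all.
SAMPLE_INVENTORY = [
    ("site-a.example", "7.57"),
    ("site-b.example", "7.58"),
    ("site-c.example", "8.5.0"),
    ("site-d.example", "8.5.1"),
    ("site-e.example", generator_version(
        '<meta name="Generator" content="Drupal 7 (https://www.drupal.org)" />')),
    ("site-f.example", None),
]

if __name__ == "__main__":
    for site, ver in SAMPLE_INVENTORY:
        print(f"{site:18} {ver!s:8} {classify(ver)}")
    print(dict(tally(SAMPLE_INVENTORY)))
```

Running it puts site-a and site-c in the vulnerable bucket, site-b and site-d in the patched bucket, and site-e and site-f in the unknown bucket, the same three-way split the article reports. A real inventory would need a second source for the patch level (for example the version recorded in `CHANGELOG.txt` or `core/lib/Drupal.php`, when the site exposes them), and even a patched version string should be followed by a check for web shells or modified files dropped before the upgrade.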

Mursch told Threatpost he has passed along the list of impacted sites to CERTs and other government organizations for help notifying them.

While scanning for vulnerable sites, the researcher also came across yet another cryptojacking campaign targeting Drupal websites.

The campaign, which uses the domain name upgraderservices[.]cf to inject the Coinhive miner, impacts over 250 websites, including a police department’s website in Belgium and the Colorado Attorney General’s office.

Coinhive is a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive’s JavaScript miner software is often used by hackers, who sneakily embed the code into websites and then mine Monero currency by tapping the CPU processing power of unwitting site visitors’ phones, tablets and computers.
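An operator who wants to check their own pages for this kind of injection can look for exactly the two artifacts the article describes: a script loaded from the campaign domain (or from Coinhive itself) and the Coinhive miner being started inline. The Python below is an added example for this page, not the researcher’s scanner; the sample HTML is constructed, and the shape of the injection (one external script plus an inline miner start, with placeholder paths and a placeholder site key) is assumed rather than taken from the actual campaign.

```python
"""
Scan page HTML for the cryptojacking indicators the article describes:
script tags loading from upgraderservices[.]cf or Coinhive, and inline
use of the Coinhive miner API.  Added example, not the researcher's
scanner; the sample page below is constructed and the injection shape
is assumed, not taken from the actual campaign.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator domains: the campaign domain from the article, plus Coinhive's
# own host, from which the miner library was served.
INDICATOR_DOMAINS = {"upgraderservices.cf", "coinhive.com"}

# Inline markers of the Coinhive JavaScript miner being instantiated.
INLINE_MARKERS = ("CoinHive.Anonymous(", "CoinHive.User(", "new CoinHive.")


def script_host(src):
    """Hostname of an external script src, or None for a relative path."""
    s = src.strip()
    if s.startswith("//"):            # protocol-relative URL
        s = "https:" + s
    if not s.lower().startswith(("http://", "https://")):
        return None                    # same-origin path: nothing to match
    return (urlparse(s).hostname or "").lower()


def host_is_indicator(host, domains=INDICATOR_DOMAINS):
    """True if host equals an indicator domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html):
    """Return a list of (kind, detail) findings; an empty list means clean."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        host = script_host(src)
        if host and host_is_indicator(host):
            findings.append(("script_src", src))
    for body in parser.inline:
        for marker in INLINE_MARKERS:
            if marker in body:
                findings.append(("inline_miner", marker))
                break                  # one finding per inline script
    return findings


# Constructed sample pages (paths and site key are placeholders).
SAMPLE_INFECTED = """<html><head>
<meta name="Generator" content="Drupal 7 (https://www.drupal.org)" />
<script src="/sites/default/files/js/js_abc123.js"></script>
<script src="https://upgraderservices.cf/PLACEHOLDER.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body></body></html>"""

SAMPLE_CLEAN = """<html><head>
<script src="/sites/default/files/js/js_abc123.js"></script>
<script>jQuery(function () {});</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_html(page))
```

The check is deliberately narrow: it matches the indicators named in the article and Coinhive’s documented constructor calls, so an obfuscated loader or a miner served from a different domain would need additional indicators. Running it over the constructed pages flags three items on the infected page (two external scripts and one inline miner start) and nothing on the clean one.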

The cryptomining campaign is only the most recent one to take advantage of the Drupal flaw. In May, researchers at Imperva Incapsula found cryptomining malware dubbed “Kitty” targeting servers and browsers exposed to Drupalgeddon 2.0. A botnet dubbed Muhstik has also been installing cryptocurrency miners and launching DDoS attacks from compromised systems. More recently, the attackers behind a ransomware attack on the Ukrainian Energy Ministry appear to have made use of the remote-code execution bug as well.

“This latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale,” Mursch said. “If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP.”

Authors

Threatpost
